[Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
Martin Babinsky
mbabinsk at redhat.com
Wed Jul 13 14:19:16 UTC 2016
On 07/13/2016 03:08 PM, Simo Sorce wrote:
> On Wed, 2016-07-13 at 14:37 +0200, Petr Vobornik wrote:
>> On 07/12/2016 04:19 PM, Simo Sorce wrote:
>>>
>>> On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote:
>>>>
>>>> On 07/12/2016 02:00 PM, Martin Babinsky wrote:
>>>>>
>>>>>
>>>>> On 07/12/2016 01:05 PM, Alexander Bokovoy wrote:
>>>>>>
>>>>>>
>>>>>> On Mon, 11 Jul 2016, Martin Babinsky wrote:
>>>>>>>
>>>>>>>
>>>>>>> From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17
>>>>>>> 00:00:00 2001
>>>>>>> From: Martin Babinsky <mbabinsk at redhat.com>
>>>>>>> Date: Fri, 1 Jul 2016 18:09:04 +0200
>>>>>>> Subject: [PATCH] Preserve user principal aliases during
>>>>>>> rename
>>>>>>> operation
>>>>>>>
>>>>>>> When a MODRDN is performed on the user entry, the MODRDN
>>>>>>> plugin
>>>>>>> resets
>>>>>>> both
>>>>>>> krbPrincipalName and krbCanonicalName to the value
>>>>>>> constructed
>>>>>>> from
>>>>>>> uid. In
>>>>>>> doing so, hovewer, any principal aliases added to the
>>>>>>> krbPrincipalName
>>>>>>> are
>>>>>>> wiped clean. In this patch old aliases are fetched before
>>>>>>> the
>>>>>>> MODRDN
>>>>>>> operation
>>>>>>> takes place and inserted back after it is performed.
>>>>>>>
>>>>>>> This also preserves previous user logins which can be used
>>>>>>> further for
>>>>>>> authentication as aliases.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/6028
>>>>>>> ---
>>>>>>> ipaserver/plugins/baseuser.py | 46
>>>>>>> +++++++++++++++++++++++++++++++++++++++++++
>>>>>>> 1 file changed, 46 insertions(+)
>>>>>>>
>>>>>>> diff --git a/ipaserver/plugins/baseuser.py
>>>>>>> b/ipaserver/plugins/baseuser.py
>>>>>>> index
>>>>>>> 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815
>>>>>>> ffb2
>>>>>>> 452692a7edb342f6ac3
>>>>>>>
>>>>>>> 100644
>>>>>>> --- a/ipaserver/plugins/baseuser.py
>>>>>>> +++ b/ipaserver/plugins/baseuser.py
>>>>>>> @@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
>>>>>>> len =
>>>>>>> int(config.get('ipamaxusernamelength')[0])
>>>>>>> )
>>>>>>> )
>>>>>>> +
>>>>>>> + def preserve_krbprincipalname_pre(self, ldap,
>>>>>>> entry_attrs,
>>>>>>> *keys,
>>>>>>> **options):
>>>>>>> + """
>>>>>>> + preserve user principal aliases during rename
>>>>>>> operation. This
>>>>>>> is the
>>>>>>> + pre-callback part of this. Another method called
>>>>>>> during
>>>>>>> post-callback
>>>>>>> + shall insert the principals back
>>>>>>> + """
>>>>>>> + if options.get('rename', None) is None:
>>>>>>> + return
>>>>>>> +
>>>>>>> + try:
>>>>>>> + old_entry = ldap.get_entry(
>>>>>>> + entry_attrs.dn, attrs_list=(
>>>>>>> + 'krbprincipalname',
>>>>>>> 'krbcanonicalname'))
>>>>>>> +
>>>>>>> + if 'krbcanonicalname' not in old_entry:
>>>>>>> + return
>>>>>>> + except errors.NotFound:
>>>>>>> + self.obj.handle_not_found(*keys)
>>>>>>> +
>>>>>>> + self.context.krbprincipalname = old_entry.get(
>>>>>>> + 'krbprincipalname', [])
>>>>>>> +
>>>>>>> + def preserve_krbprincipalname_post(self, ldap,
>>>>>>> entry_attrs,
>>>>>>> **options):
>>>>>>> + """
>>>>>>> + Insert the preserved aliases back to the user
>>>>>>> entry
>>>>>>> during
>>>>>>> rename
>>>>>>> + operation
>>>>>>> + """
>>>>>>> + if options.get('rename', None) is None or not
>>>>>>> hasattr(
>>>>>>> + self.context, 'krbprincipalname'):
>>>>>>> + return
>>>>>>> +
>>>>>>> + obj_pkey =
>>>>>>> self.obj.get_primary_key_from_dn(entry_attrs.dn)
>>>>>>> + canonical_name =
>>>>>>> entry_attrs['krbcanonicalname'][0]
>>>>>>> +
>>>>>>> + principals_to_add = tuple(p for p in
>>>>>>> self.context.krbprincipalname if
>>>>>>> + p != canonical_name)
>>>>>>> +
>>>>>>> + if principals_to_add:
>>>>>>> + result = self.api.Command.user_add_principal(
>>>>>>> + obj_pkey, principals_to_add)['result']
>>>>>>> +
>>>>>>> + entry_attrs['krbprincipalname'] =
>>>>>>> result.get('krbprincipalname', [])
>>>>>>> +
>>>>>>> def check_mail(self, entry_attrs):
>>>>>>> if 'mail' in entry_attrs:
>>>>>>> entry_attrs['mail'] =
>>>>>>> self.obj.normalize_and_validate_email(entry_attrs['mail'])
>>>>>>> @@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):
>>>>>>>
>>>>>>> self.check_objectclass(ldap, dn, entry_attrs)
>>>>>>> self.obj.convert_usercertificate_pre(entry_attrs)
>>>>>>> + self.preserve_krbprincipalname_pre(ldap,
>>>>>>> entry_attrs,
>>>>>>> *keys,
>>>>>>> **options)
>>>>>>>
>>>>>>> def post_common_callback(self, ldap, dn, entry_attrs,
>>>>>>> *keys,
>>>>>>> **options):
>>>>>>> assert isinstance(dn, DN)
>>>>>>> + self.preserve_krbprincipalname_post(ldap,
>>>>>>> entry_attrs,
>>>>>>> **options)
>>>>>>> if options.get('random', False):
>>>>>>> try:
>>>>>>> entry_attrs['randompassword'] =
>>>>>>> unicode(getattr(context, 'randompassword'))
>>>>>>> --
>>>>>>> 2.5.5
>>>>>>>
>>>>>> The approach looks good.
>>>>>>
>>>>>> For the record, we also support aliases for hosts and service
>>>>>> kerberos
>>>>>> principals but we don't support rename options for them, so
>>>>>> there
>>>>>> is no
>>>>>> need to add similar logic there.
>>>>>>
>>>>>>
>>>>> That's right, I have updated the corresponding section of the
>>>>> design
>>>>> page [1] for future reference.
>>>>>
>>>>> [1]
>>>>> http://www.freeipa.org/page/V4/Kerberos_principal_aliases#Manag
>>>>> emen
>>>>> t_framework
>>>>>
>>>>>
>>>> Adding Simo to the loop since he is not convinced that this is
>>>> the
>>>> right
>>>> behavior. As I see it, it seems to not be a security issue but
>>>> more
>>>> of a
>>>> different expectations about the perceived correct behavior in
>>>> this
>>>> particular situation.
>>>>
>>>> I can see the use case in keeping the old aliases, e.g. keeping
>>>> the
>>>> old
>>>> credentials after legal name change, but I can also see the
>>>> available
>>>> space for user principal names piling up and cluttering quickly
>>>> in
>>>> large
>>>> organizations.
>>> after some thinking I think it is ok to keep by default and then
>>> drop
>>> as it avoid races if you do really want to keep the aliases.
>>>
>>> However the CLI/UI should probably offer a button/switch to allow
>>> to
>>> drop all aliases on rename, what it would do would be to modify the
>>> entry after the rename and drop the aliases.
>>>
>>> I am a bit uncertain what to do by default with the "original
>>> name".
>>> I can see it going both ways on whether to keep it by default or
>>> not.
>> Ideally we would have e.g.
>>
>> ipa user-rename oldCN --remove-aliases
>>
>> which would drop everything including oldCN (I would expect that).
>
> I lean toward this conclusion too given that a later "--remove-alias"
> would drop it, and we want to behave consistently.
>
Makes sense to me, too.
>> Unfortunately we have --rename in mod command
>> ipa user-mod oldCN --rename newCn --remove-aliases
>>
>> And there --remove-aliases might not be the best thing.
>
> Why not ?
>
>> Do we want to support also:
>> ipa user-mod CN --remove-aliases
>
> Yes we probably want to give the option to drop aliases if an admin
> realizes he should have done it at rename time but didn't.
>
> Simo.
>
In that case he can still use `user-remove-principal` to manually remove
them.
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list